Forensic contest: Puzzle #1

I found this interesting website that post puzzles for interested indiviuals like myself to try and solve with the possiblilty of winning prizes too. The URL is http://forensicscontest.com/. In this blog, im gonna show you how to solve puzzle #1, http://forensicscontest.com/2009/09/25/puzzle-1-solution-anns-bad-aim.

1. Download the required pcap file, evidence.pcap from the website
2. First thing i did was open up the pcap file in wireshark and applied a display filter to look at the traffic to whom anns computer, 192.168.1.158 was involved in(ip.addr eq 192.168.1.158)
3. Upon analysis of the first few packets i determined the name of Ann's im buddy was "Sec558user1"
4. I right clicked on the first packet then selected "Follow tcp stream"
5. Upon further analysis, i've determined that the first comment in the conversation was "Here's the secret recipe. I just downloaded it from the file server. Just copy to a thumb drive and you're good to go"
6. To find out the name of the file that was transferred, there are two ways i used to determine that.

• Method 1 command: "# strings evidence.pcap |more". This method can take awhile and is not the best but eventaully i saw the filename "recipe.docx"
• Method 2. First i used tcpflow to seperate the streams then ran them through xxd.
  command: "# tcpflow -r evidence.pcap". I noticed a communication line between ann's computer and another local but unknown ip of 192.168.1.159. I then did "# xxd 192.168.001.158.05190-192.168.001.159-01272 | more". Voila, recipe.docx is being sent to some unknown user using the OFT protocol

7. A simple google search got me the necessary bytes being asked for, "50 4B 03 04"
8. convert the necessary file to a post-script plain hexdump file for editing purposes, "# xxd -ps 192.168.001.158.05190-192.168.001.159-01272 > hex.txt"
9. Open up the file in a text editor like kate and search for the magic bytes "504b0304". When you find these bytes removed everything before that then save the file.
10. run "# xxd -r -ps hex1.txt > recipe.docx". This converts the hex file back into a raw binary file. Bingo, we have our original file

• An alternate way to do this, "# xxd -s +256 192.168.001.158.05190-192.168.001.159-01272 |xxd -s -256 -r > recipe.docx"
  

11. Get the MD5 sum of the file, "# md5sum recipe.docx", 8350582774e1d4dbe1d61d64c89e0ea1 recipe.docx
12. Using MS word to open the file you get:

Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

CASE SOLVED